AWS Security ChangesHomeSearch

AWS managedservices medium security documentation change

Service: managedservices · 2025-05-10 · Security-related medium

File: managedservices/latest/userguide/ams-sec-stand-controls.md

Summary

Added 'Security group sharing' controls (20.0-20.2), updated quotation marks for consistency, and fixed minor formatting issues.

Security assessment

The new security group sharing controls (20.1-20.2) explicitly define conditions for sharing security groups between VPCs and accounts, addressing potential misconfigurations that could lead to unauthorized access. This is a security-related change as it enforces stricter access controls and risk acceptance requirements.

Diff

diff --git a/managedservices/latest/userguide/ams-sec-stand-controls.md b/managedservices/latest/userguide/ams-sec-stand-controls.md
index 6fe24f60d..1de544b92 100644
--- a//managedservices/latest/userguide/ams-sec-stand-controls.md
+++ b//managedservices/latest/userguide/ams-sec-stand-controls.md
@@ -152 +152 @@ ID | Technical standard
-4.21 | All the IAM permissions for resource type “savingsplan” can be granted to customers.  
+4.21 | All the IAM permissions for resource type "savingsplan" can be granted to customers.  
@@ -219,0 +220,3 @@ ID | Technical standard
+**20.0** | **Security group sharing**  
+20.1 | If a security group meets this security standard, then it can be shared between VPCs in the same account and between accounts in the same organization.  
+20.2 | If a security group does not meet this standard and a risk acceptance was previously required for this security group, then the use of the security group sharing feature between VPCs in the same account, or between accounts in the same organization, is not permitted without risk acceptance for that new that VPC or account.  
@@ -316 +319 @@ ID | Technical standard
-5.1 | The log file integrity mechanism must be enabled. “Log file validation” must be configured in the AWS CloudTrail trails required by AMS teams.  
+5.1 | The log file integrity mechanism must be enabled. "Log file validation" must be configured in the AWS CloudTrail trails required by AMS teams.  
@@ -337,2 +340,2 @@ ID | Technical standard
-2.4 | Any gMSA service account(s) must be added under the “Managed Service Account” Organizational Unit (OU).  
-2.5 | Any non-gMSA service account(s) must be added under the “Users→Service Accounts” OU.  
+2.4 | Any gMSA service account(s) must be added under the "Managed Service Account" Organizational Unit (OU).  
+2.5 | Any non-gMSA service account(s) must be added under the "Users→Service Accounts" OU.  
@@ -340 +343 @@ ID | Technical standard
-3.1 | Any setting under the “Windows Settings→Security Settings” GPO must not be modified if it reduces the security posture of the account in any manner from the current state.  
+3.1 | Any setting under the "Windows Settings > Security Settings" GPO must not be modified if it reduces the security posture of the account in any manner from the current state.  
@@ -346 +349 @@ ID | Technical standard
-5.1 | The log file integrity mechanism must be enabled. “Log file validation” must be configured in the AWS CloudTrail trails required by AMS teams.  
+5.1 | The log file integrity mechanism must be enabled. "Log file validation" must be configured in the AWS CloudTrail trails required by AMS teams.